Analysis
-
max time kernel
42s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
08-08-2023 09:27
Static task
static1
Behavioral task
behavioral1
Sample
a1e9bdbabd0a6e1065ad0c87c56d1300.exe
Resource
win7-20230712-en
General
-
Target
a1e9bdbabd0a6e1065ad0c87c56d1300.exe
-
Size
384KB
-
MD5
a1e9bdbabd0a6e1065ad0c87c56d1300
-
SHA1
6228d0b77e7a646f3080fffdf1e547a1cea8bfd2
-
SHA256
0e9ebffdac31f5df08227a8cf888c9ae92429fbb2a26ff285d3ce24e231a65bd
-
SHA512
84e00c71221f85245dc96c054a4e3a27a40fefb489d71834310a5f2622fc798db00ca15fc38b7d004daa76ad466729deb3c007a6941fa391888552de06c794c0
-
SSDEEP
6144:mHD512cGAw1hen2wHco0NP/WUH5GXzHcZmZa:mjP2cG51hYTHf09n5GD8QA
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
209.250.248.11:33522
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
pid Process 3040 mi.exe 1972 cli.exe 1836 setup.exe 744 cc.exe -
Loads dropped DLL 6 IoCs
pid Process 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 3040 mi.exe 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 1788 WerFault.exe 1788 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000f000000016244-149.dat themida behavioral1/files/0x000f000000016244-151.dat themida behavioral1/files/0x000f000000016244-153.dat themida behavioral1/memory/1836-156-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/memory/1836-157-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/memory/1836-159-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/memory/1836-160-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/files/0x0007000000016320-167.dat themida behavioral1/files/0x0007000000016320-164.dat themida behavioral1/memory/1836-161-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/memory/1836-163-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/memory/744-168-0x0000000000C80000-0x00000000012B4000-memory.dmp themida behavioral1/memory/744-173-0x0000000000C80000-0x00000000012B4000-memory.dmp themida behavioral1/memory/1836-171-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/memory/1836-211-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/memory/744-224-0x0000000000C80000-0x00000000012B4000-memory.dmp themida behavioral1/memory/1836-351-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/files/0x000f000000016244-448.dat themida behavioral1/memory/1836-464-0x000000013FD70000-0x0000000140F96000-memory.dmp themida behavioral1/files/0x000500000001c72f-541.dat themida behavioral1/memory/700-542-0x000000013F710000-0x0000000140936000-memory.dmp themida behavioral1/files/0x000500000001c72f-544.dat themida behavioral1/memory/668-549-0x000000013F710000-0x0000000140936000-memory.dmp themida behavioral1/memory/668-614-0x000000013F710000-0x0000000140936000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1836 setup.exe 744 cc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1972 set thread context of 1200 1972 cli.exe 33 -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2732 sc.exe 300 sc.exe 1824 sc.exe 2200 sc.exe 1796 sc.exe 2904 sc.exe 868 sc.exe 2436 sc.exe 1988 sc.exe 524 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1788 1972 WerFault.exe 30 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1656 schtasks.exe 2012 schtasks.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 a1e9bdbabd0a6e1065ad0c87c56d1300.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 a1e9bdbabd0a6e1065ad0c87c56d1300.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 a1e9bdbabd0a6e1065ad0c87c56d1300.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 a1e9bdbabd0a6e1065ad0c87c56d1300.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 a1e9bdbabd0a6e1065ad0c87c56d1300.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 a1e9bdbabd0a6e1065ad0c87c56d1300.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe Token: SeShutdownPrivilege 1348 chrome.exe Token: SeShutdownPrivilege 1348 chrome.exe Token: SeShutdownPrivilege 1348 chrome.exe Token: SeShutdownPrivilege 1348 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 3040 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 29 PID 2524 wrote to memory of 3040 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 29 PID 2524 wrote to memory of 3040 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 29 PID 2524 wrote to memory of 3040 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 29 PID 2524 wrote to memory of 1972 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 30 PID 2524 wrote to memory of 1972 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 30 PID 2524 wrote to memory of 1972 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 30 PID 2524 wrote to memory of 1972 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 30 PID 3040 wrote to memory of 1836 3040 mi.exe 31 PID 3040 wrote to memory of 1836 3040 mi.exe 31 PID 3040 wrote to memory of 1836 3040 mi.exe 31 PID 3040 wrote to memory of 1836 3040 mi.exe 31 PID 2524 wrote to memory of 744 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 32 PID 2524 wrote to memory of 744 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 32 PID 2524 wrote to memory of 744 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 32 PID 2524 wrote to memory of 744 2524 a1e9bdbabd0a6e1065ad0c87c56d1300.exe 32 PID 744 wrote to memory of 1348 744 cc.exe 35 PID 744 wrote to memory of 1348 744 cc.exe 35 PID 744 wrote to memory of 1348 744 cc.exe 35 PID 744 wrote to memory of 1348 744 cc.exe 35 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1348 wrote to memory of 976 1348 chrome.exe 36 PID 1348 wrote to memory of 976 1348 chrome.exe 36 PID 1348 wrote to memory of 976 1348 chrome.exe 36 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1200 1972 cli.exe 33 PID 1972 wrote to memory of 1788 1972 cli.exe 38 PID 1972 wrote to memory of 1788 1972 cli.exe 38 PID 1972 wrote to memory of 1788 1972 cli.exe 38 PID 1972 wrote to memory of 1788 1972 cli.exe 38 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39 PID 1348 wrote to memory of 860 1348 chrome.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1e9bdbabd0a6e1065ad0c87c56d1300.exe"C:\Users\Admin\AppData\Local\Temp\a1e9bdbabd0a6e1065ad0c87c56d1300.exe"1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\mi.exe"C:\Users\Admin\AppData\Local\Temp\mi.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1836
-
-
-
C:\Users\Admin\AppData\Local\Temp\cli.exe"C:\Users\Admin\AppData\Local\Temp\cli.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:1200
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1083⤵
- Loads dropped DLL
- Program crash
PID:1788
-
-
-
C:\Users\Admin\AppData\Local\Temp\cc.exe"C:\Users\Admin\AppData\Local\Temp\cc.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=64251 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataXDX0V" --profile-directory="Default"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataXDX0V" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataXDX0V\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataXDX0V" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef5679758,0x7fef5679768,0x7fef56797784⤵PID:976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=792 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:24⤵PID:860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1216 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:84⤵PID:2692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=64251 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1532 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:14⤵PID:1388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=64251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1920 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:14⤵PID:3040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=64251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2396 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:14⤵PID:656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=64251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2516 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:14⤵PID:1112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=64251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2760 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:14⤵PID:1004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=64251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2660 --field-trial-handle=928,i,9173532557379163457,2049115052166524918,131072 --disable-features=PaintHolding /prefetch:14⤵PID:1792
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵PID:1680
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:1672
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:2732
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:300
-
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:1824
-
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:2200
-
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }1⤵PID:2372
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"2⤵
- Creates scheduled task(s)
PID:2012
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵PID:2376
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵PID:700
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵PID:1884
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵PID:852
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵PID:2732
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"1⤵PID:2836
-
C:\Windows\system32\taskeng.exetaskeng.exe {3F2B08B8-1138-48B5-91C5-ABF58BD5167B} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:700
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵PID:668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵PID:2376
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:1920
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:1796
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2436
-
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:1988
-
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:524
-
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:2904
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵PID:2932
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵PID:300
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵PID:1316
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵PID:1848
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵PID:2756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }1⤵PID:676
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"2⤵
- Creates scheduled task(s)
PID:1656
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe1⤵PID:2884
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3012
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5531409b509dbb9d3815f38a7a9f0f354
SHA140e8915a229317a5ed6810afeb80f850f96a5269
SHA256557032355d7683e5734007291fb13b2f8bf947bac6d4a74e305187e602848313
SHA51232a6be9b3cc8efe303c0b3f590946642a3723512e41082e3702013076217b1ed3ddb32d1de8f7d77e81587a8c5475a5133e75a952e0d1fcb1cb5c4aeff587699
-
Filesize
1024KB
MD503c4f648043a88675a920425d824e1b3
SHA1b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA5122473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192
-
Filesize
40B
MD58a7a2bf5addf1335e4c20a852f42a9e1
SHA17c324442b2089d141d3fa0f1fbe3153f080ec7c0
SHA2560215577d2e5ad5bd60e2d376ff60d276e05761790ffda092793ec2aa60e3fbde
SHA5123972a40bd4c2584f6eede25f02278ea2993b3359031400849c112d311ad68b26f206983ad77143786c40e6d5530035f7600ba249979a906ae27ef8d272c7e412
-
Filesize
44KB
MD5f6b3949066248febd4908b713e7bef39
SHA1cb1ddcac67681aeae3ecd1b6d046aea52d3b3a9d
SHA2563b2c95cf971c1bc0fdc0f3c196b7146eab0050b30adb1502cc083f20b8251f91
SHA512e761017462dcc7e80c105ff76c20900c5dcf4510cf483380f7c5134fc0624bba0fc348ab0fc1d2d9e8f16fd193d51aad651efa412fe57b39e089af6b8c151923
-
Filesize
264KB
MD5eaff770ae20f3b5906e5109f27b8f671
SHA18ac94bd8f674029fa7b88ab34dd7839eefb12bdb
SHA256023575cb896d71258fcee3c5c14c385882b26eec6a3ba81232df79eac95382ac
SHA512947d3849662efaebe6000f0133b584bd54cb4eae8ecc71c56579e1d13af1b4e700d0ad154fd97493132b1ae4b14ff4df1d90dd2b4c527db6d8848dcee38e9de4
-
Filesize
1.0MB
MD5397e216ccbf724c50e44dc0d413bc307
SHA12e3dc42d59057bd6c1c55e7acd6a8984d0ec6566
SHA256267c2ca7ea7bb85ac7c409698f3d302e4bab93e95268fbdc5421628a8bc21eb2
SHA51271dc107f1283f854740e45db750eb689a8fecab5d9d64167a8b1b7f53888391e0aa231d5a8ba22b771e140c46b656ff8a6c0d7416b441624e0c25a1f73eae0bb
-
Filesize
4.0MB
MD5fbaa1f941120bfe9e184b9dbca725486
SHA16fe9f2f281f5be4f487e0c3dc5538cae912c463e
SHA25602209692bc25b0278b43a4766990e25329958cfe72e419b7fe399d8fa5b438c9
SHA51228b251a64942f331df9d035bc7fff3add99309c7b936ea3d1c99e953a3df6b9015af55508203d8b95ceeaf98c8897e1e330e08c1f52cfaa9833b6f251c9b8f6a
-
Filesize
54KB
MD5df6097ebb6b533e64ecbe4259fe0d077
SHA134298680922b88dac5fcb5c0e020a6eba28c153b
SHA256dbc7fde22571d7f67e343298c6bebd4c5776e60b03741c3edf66ea524ec3c201
SHA51272189e8d31d466c2a9973d8e009e669d92d6015db2edbd8ad3b5b49c320e47c46cc724806c36de356e2ccefe3e895e9b4b471214f4f528f27bb13a288a4ad7c2
-
Filesize
72KB
MD521808cd0724524589cd4ec1ce26f6d58
SHA1fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA2561a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA51236902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d
-
Filesize
333KB
MD5da4cec20c30abd49c5b03cb178c6e5f7
SHA1c7a0efa3f505a46e5e5001e4fccbef753f52c119
SHA25611a703e00e1246b141133c860527146c54979728745aaa1858c20d819144f56a
SHA51260279e6b06b7d8994c1abc2e75617ff39562fcdcfb4b3d693d5db6b18e05eaea3bec033857bf1dc357a8e9b5228fbf272efd034f048ce4cefb6b005e18e0d26e
-
Filesize
333KB
MD5520afd77dd786dcba066db25d79d821e
SHA1bcdd8e966e4ef08da00b5f48cc062fd4c5852b73
SHA2569b4fb57a5c3dd6996892277112e7fabb483d69b444fbbe1935a769802b1ce303
SHA512fae19c262924331882857c8960c0a11b991aabc395c4be3e24387d4f342e92fc489b5771f711d6c50309da4cf55b0099452d0a2499c41faab774d89463756ae8
-
Filesize
22KB
MD59f1c899a371951195b4dedabf8fc4588
SHA17abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA51286e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54
-
Filesize
39KB
MD5500ecdda9ad3e919a1f41c1588266a1b
SHA1d5ddf92dc08284a48701a4d3555590bda05f77e0
SHA256caad3feace9086d27e006d538d2daf4dd50e2b33307232a7db6d5f8c48f73b37
SHA5125e47a0d0721ec0f9adb5a439ffc98c1b4da780e74270332313f8350f228bdb919d32c4812c6ede84ebae3ead1342c2eaf4c73f4dfca5a87e8887e1b5913c0d9f
-
Filesize
89KB
MD5d453afffdfdc0b4a8dade7dc8c9572d6
SHA158059302d94ed9744e739e388d24bde852996908
SHA2569c34eeebfce83033015f38c7a605d1fed811fb54720409bfe06ad5c2c91fe2d1
SHA5122678c762ac65b5edebd1ae552e061495f551a4d037d0dfd0732c98c3e197e498a1b020c927e11f2c3dbd388dcd863f83990632581582e20767b8bb1a0b0f6927
-
Filesize
21KB
MD57d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA168f598c84936c9720c5ffd6685294f5c94000dff
SHA2566c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f
-
Filesize
85KB
MD5424826f09a5a67968c84db6f4ee00859
SHA1b0914033d4a81f491210c917fbcd3792fe57b2ba
SHA256ebba4a15a3a62c95fd4e6db66e2c5915b836db7066327b56c18b8073a8640a87
SHA512cd172785ed9eb8f5e6697a3e29d36d9bc9a94b59df3983c4b47db10098bb62f172c87069c44fd49ea4a55917c27a568d0c1d1f269db1c8431d356cb686f7d2b1
-
Filesize
64KB
MD599374f3368b192f0ebb50e2ec284e2eb
SHA19415121c85654b2bf0a98576c11589ff304665c9
SHA25685e81bcb282f3c74de592b44362f4adc0271e43743de6bd3c984e59c840d7f28
SHA512582886a6ff12929ae865e2ceba30e96d0e5a77e2a09b6ba130f2416fc6ac544bc2bd2337df145dabbcae84d13a67e9922a0890c77c40b06149d562116b35a311
-
Filesize
90KB
MD5355dcc3d527c3e9cee6ad0819e479211
SHA12e31ed9f7f6214bcc6419de03438c6613357ce56
SHA2562096b2907f5170ec6a2eb2a418547e187f0e9e03ebd1b4fcf97c948acfb07f7c
SHA512d61d48c09735e749a7448ac05c577fabdd0b3508aff5acfbd256d141c9dedd209263ecc9d3ef0bfcf80dc83e64115530dba88c608c43f96ec3df366c24a983eb
-
Filesize
1.4MB
MD527cd2cadf2c6803021503d69ef6adb59
SHA142db3241dceb8e751bc394963be6c3a600c63438
SHA256d1b75085ea35b7053cf99dcd0764c28eb035f1228ca2fa4393040a0f1f4e3927
SHA5126f1862d0cf21c62bc047ebcf66fdabe392c18e3a4534206941fa9ccf0e155c51b1dac0d1409b2283de08fe22782b5d8f48d8956fd33c6e0ccb006a8a9f4acfec
-
Filesize
256KB
MD5efe5df9fbcbf52e23c2aafd8183b1df9
SHA149e2a54aa9b165665f15fdcfc2ea92658084da5e
SHA256d63c9981fd52d12d9768f1a19054de26e095c13ee81ef97b434821a1d8aa1fe6
SHA512d87a68c39aa293a1461aab09af8bd202c5ac24be6d4e18ed806ef165de37a49aae014db8d7c0ddff072101483fb21bbf26d0bb4e72f24a29148b195edb4c9bc3
-
Filesize
355B
MD56da3196a11e64ec24ce6ddf2b95f8e6a
SHA179b778792f863103ea68ee7896a6cfd34a06d2f2
SHA256bde15f6e713756359d7070b05261e310cb05d4bb69b4db10956d79d44cd143d7
SHA512d0a41024a0ef41e1c9b2a8f239804201c36de5a33c9e6baa1fa81421e12a26039a080733896b18085d1f821528e2b7545979482071fa467cc7ded7434e4c88cf
-
Filesize
319B
MD56c6789677c32ae5b3c6fbc0cd75051cb
SHA1897bbf745fce26464ecf513c820f8d140c052b7e
SHA25673e4f081f2be73f68832eaf47c444e78f1afe214b8278d7ad9e87c4aca930e20
SHA5125aa5efe882d741e63d0e96efe764058195e48362e8dcda207f07049dba0aceff30a4ea3ade2c26658bfc4d3a32fd73915c9ef20a11cd1fd2cdf61b0790311972
-
Filesize
248B
MD5fbfbbbf2cd44c911a4ab5238ca19a56c
SHA127d3819894b7c0d20b807c2a8e75b9f24a2089c8
SHA256c66819cd4597a92ea2c0bdfaa5e192d59cab30cf872c37cbd4152f9d7080a6ad
SHA51220098bea76c52cfc749d67635d7a43442ed9c6fb26350061acd902e00de497ea96175e66f32f207f407a9f24b6f91f6768139b1628882ca6e7aa5d8bae428d25
-
Filesize
216B
MD55f3b952dec79b2944a56a955cc321ab7
SHA140f8e3f6328bc53b179ba167a99754f5e80835b1
SHA256bf34a8a2341cea9577f3508d17f3b570cfe546fb36fc7c0793fc6fc07572ce59
SHA512b266b23603970625b0e27b626572201a749cd0e65d306c355aa6221d7af37c6c2cfb70541940390f86858cff53a20744d50fc8d6bc85e04af9682686a4b5aceb
-
Filesize
2KB
MD5f7b92893cadea13895ead8da89f6f312
SHA199293c44f4133dc893c3a8f0c3520bc94f91a186
SHA2560602e75af1bdbbfbe2d483f9776f0f7fa5d05f18b599cfc206a4433a14f3b17f
SHA512cfe6d9c31a9a545ab2e63a706b2bdb105cd69dace61e7be3711458f961847077b9da533aa8c289e224b45ee36bf871026758d480ac398e1236e684f8f5a097a4
-
Filesize
240B
MD54a1fd417e9e13cd0a057715740056093
SHA12951410cb1aa783e70f1d15ff183a97c4c8552aa
SHA256eaaf5b72dcf665c57a3d7440bd28247a6442e363c6a6464d5c012ce54b072270
SHA512b494c635244afd248af9a121f3e6848001e0a7be91ffd8725e9cfb40ff15d71c34d7e285a077a9d0cd5866aa7a890fa09cdb7d2b5178c7a1273a265fa315f967
-
Filesize
252B
MD5579bc5f289d91faacbc39b287e04ea25
SHA1cb2e4e31c295b7c55967595af6a2017662bc87b7
SHA2562ad596f350820f7ff12d5e32229a4e91c4c0dba2224b5593c96320e02026019d
SHA512f288a0fc19e678d0a9fd906ff5ee31f104ca8cc82a074a9d27f111b7d71368c1ac8c4761df54f9dc9b5a0f02039292ffcbe16bde3a995cd6cf48d963613dcfe1
-
Filesize
347B
MD57aa3af7a3728e8a5ac2d322e6ce0ef14
SHA1cda9bb6083455000503c0250b7229693a5a8402e
SHA256f58b12fe85188b191d13159afc4115a4a1c448acd75587ad0a881b5c78f96dd3
SHA512dac9550c904110480bcd83e35807890767dc18181aa36db8d5be88696621f92d710d378ee1f91a057416ee735fd2aedea886fec3cebc9004d9e73b11a4bb2876
-
Filesize
2KB
MD549cc29524f8a5c0809d6c901834c54c1
SHA19894263cf05aea281124608dbffdd789c822e9d2
SHA256a0cd1050c571ba35e3d850934e2b80c3b1d8857edcf6145bab65b5eb2d4e9f43
SHA512761f724f5913156379896cc81d169f39ff3904ffbf4ead2b719bcf868b74df478f1e2eeb94169e0192edc47071d23e984d305126e729acd0dd5c022ffcb15a6e
-
Filesize
1KB
MD59c2319fe40185f1c9b17ca1d9f0e9d4e
SHA171f8601c78b05603513f6bb189293067a48b361c
SHA256fb758b8383a6d1d13075b2b56c118abfd6ff32f54923d42d70c8604a57bf6055
SHA5126524a0cda44e394bdd986ceee4436011c4d51fb039bc198aef9d39e096cd2d379860581fe8f7a4551631049fba873e390dd3b76cb0814ab4a3a5f54ef6b9a612
-
Filesize
204B
MD5b33849aba8a2fbfe09025d034bfbae91
SHA16daa6b5935a453e400416e31d59731de3134bc2b
SHA256ccd37bb7aee47ab5d343acef5e8d1960ef40ba970575d448b41331c6c3aa9155
SHA5120996af590a4196f15448804dcd66e0f517e125ee3b5988fc8f6c81fe7c38d4ba7e41c5606322f2d4133953d8e14f8f29872c59367c564510c8dbb3ac2b98b4d8
-
Filesize
1KB
MD50b85473dc8417f3ae33633625674c501
SHA10cf08872a15cd5f308ca7979730682b4a4f6e93f
SHA2566012a93470676baa19a2355dff197e61d5da518f285361ed505084b0c0d8c607
SHA512a2f9b5f06828a0f928eb7de4cc04d64de02befe8b214e69e6909f483938587c27c6a81b3042fd542bc713139d5fabbf13df8b3e90a7038f2fdc0e80d8aa79c54
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User DataXDX0V\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000002.dbtmp
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
136B
MD5bdef8f53358646da8304d00e7ff0b2e1
SHA1389f0c392c979745331f652151cc0f4d2ca318b6
SHA2561e23b744729889e12f1b6e97b6956f765ac0e3c6167d65b9de92152f9db70ebd
SHA512a478a1ab72bbbfc4f3b5a55097305736bf4e45faa4495674c1031222cde1b6cd32f2d99423e8bdb5a9aadfe2ee7090652c00e0cbffb163f534e54df1c9e7268a
-
Filesize
190B
MD59a5fa3edd2c2af71986199fe74033097
SHA1b4516b6b87ef5387d4bbb585c883cec7fa48c44c
SHA256c352e18654165e2cdbf584baebf798bbcdd0ae021121a23d89c9a49137782b96
SHA512c3f06507d460b07215b8881ac0c1f9ac1753ec831446ac236257ab2e0027ed5523549ed9c7b9e51ca945404fde31b5dc36ab114509873cf69760378172879811
-
C:\Users\Admin\AppData\Local\Google\Chrome\User DataXDX0V\Default\Local Storage\leveldb\MANIFEST-000004
Filesize50B
MD5031d6d1e28fe41a9bdcbd8a21da92df1
SHA138cee81cb035a60a23d6e045e5d72116f2a58683
SHA256b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\Google\Chrome\User DataXDX0V\Default\Session Storage\CURRENT~RFf773ffd.TMP
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
931B
MD543b06e8bdd74aa1cb65e5376a4cf3bfb
SHA1f0ddc99b9d3441dd13ba4a66ecee36e3098b605b
SHA256e54e3be47d999f693861c85ebe68ce3ec61e9346acf17705b759736456706eee
SHA5128cbd5a637462f2094e8554b7545238b1bc0159e5e8f3c605dcb802f3442ed1ed26bef9c63ff79d9a0c9b7ca8405640b4279d5477988bbaba625a0b76b6d04a28
-
Filesize
60B
MD5819f3ba0a1b6e7578e9bac0bf57be424
SHA1c6285be08e456f332bc4354473c4a20eb6369784
SHA2566fd90549eb829da9661799a0d71162bd54981581ef38fc9d13916e7cf3df2e66
SHA512fbaa632281b8fb07cb9a281beced11853dad290d931a3258ce6a737d317d444af95baca87580cdfe2d504ad86df9e167070fd9d3ae9f49ace6bd6ad2e2a5c21f
-
Filesize
89KB
MD554c3e178d0c95f1a67daa871bc235850
SHA1c57a684e4ecb5beb841a5d5e91bdcbdcd119d85b
SHA256992254b4484d15d283fbf2108614a0c6b614c95a781f8e4f6647fff65e5f9671
SHA512c61c0bec3d0576d0a7e7764f08e21ccf96d5f79da18f4b175ff9d83d0c5c4321ec6002a28ec5438fed559e7199e310f64f587bc8bd3be1d5a89961188d215f8a
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
6.2MB
MD5858f82fe9166c34b6709a3adfe6a625f
SHA163275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA2568ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA5121338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e
-
Filesize
2.2MB
MD5b78141a544759e1a07740aa28b35584c
SHA1af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA5122f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a7a92c1b8023cf192fbd5d14851c448f
SHA18e667e623963878b9a60f684dd3e824739cb3aa1
SHA25696aac9dd4b3dd0c1af0f1116604d03e7b14d1ab9cf3f6fb4eb80340a18755b6e
SHA51275ca65bbcfd9a465b87952e815dab631759d62ff3adc8ae01d019022bb391e139e861d64c309a1499e556be56ea47f89d2e868d9c5af448e2b2c445e8a77f2e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R4V6IRLHA2FOTB57PWNP.temp
Filesize7KB
MD5a7a92c1b8023cf192fbd5d14851c448f
SHA18e667e623963878b9a60f684dd3e824739cb3aa1
SHA25696aac9dd4b3dd0c1af0f1116604d03e7b14d1ab9cf3f6fb4eb80340a18755b6e
SHA51275ca65bbcfd9a465b87952e815dab631759d62ff3adc8ae01d019022bb391e139e861d64c309a1499e556be56ea47f89d2e868d9c5af448e2b2c445e8a77f2e5
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
2KB
MD52b19df2da3af86adf584efbddd0d31c0
SHA1f1738910789e169213611c033d83bc9577373686
SHA25658868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA5124a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
6.2MB
MD5858f82fe9166c34b6709a3adfe6a625f
SHA163275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA2568ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA5121338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e
-
Filesize
2.2MB
MD5b78141a544759e1a07740aa28b35584c
SHA1af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA5122f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959
-
Filesize
2.2MB
MD5b78141a544759e1a07740aa28b35584c
SHA1af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA5122f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959
-
Filesize
2.2MB
MD5b78141a544759e1a07740aa28b35584c
SHA1af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA5122f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959
-
Filesize
2.2MB
MD5b78141a544759e1a07740aa28b35584c
SHA1af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA5122f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379